Test 391/u and 391/p from ubuntu_bpf failed on B

Bug #1841704 reported by Po-Hsu Lin on 2019-08-28
Affects: ubuntu-kernel-tests | Importance: Undecided | Assigned to: Unassigned
Affects: linux (Ubuntu) | Importance: Undecided | Assigned to: Unassigned
Affects: linux (Ubuntu Bionic) | Importance: High | Assigned to: Tyler Hicks

Bug Description

#391/u bounds checks mixing signed and unsigned, variant 14 FAIL
  Unexpected error message!
  0: (61) r9 = *(u32 *)(r1 +8)
  1: (7a) *(u64 *)(r10 -8) = 0
  2: (bf) r2 = r10
  3: (07) r2 += -8
  4: (18) r1 = 0x0
  6: (85) call bpf_map_lookup_elem#1
  7: (15) if r0 == 0x0 goto pc+8
   R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R9=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0
  8: (7a) *(u64 *)(r10 -16) = -8
  9: (79) r1 = *(u64 *)(r10 -16)
  10: (b7) r2 = -1
  11: (b7) r8 = 2
  12: (15) if r9 == 0x2a goto pc+6
   R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1=inv(id=0) R2=inv-1 R8=inv2 R9=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0
  13: (6d) if r8 s> r1 goto pc+3
   R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1=inv(id=0,umin_value=2,umax_value=9223372036854775807,var_off=(0x0; 0x7fffffffffffffff)) R2=inv-1 R8=inv2 R9=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0
  14: (65) if r1 s> 0x1 goto pc+2
  17: (b7) r0 = 0
  18: (95) exit

  from 13 to 17: safe

  from 12 to 19: R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1=inv(id=0) R2=inv-1 R8=inv2 R9=inv42 R10=fp0
  19: (2d) if r1 > r2 goto pc-3
   R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1=inv(id=0) R2=inv-1 R8=inv2 R9=inv42 R10=fp0
  20: (05) goto pc-7
  14: (65) if r1 s> 0x1 goto pc+2
   R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1=inv(id=0,smax_value=1) R2=inv-1 R8=inv2 R9=inv42 R10=fp0
  15: (0f) r0 += r1
  R1 has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root

  #391/p bounds checks mixing signed and unsigned, variant 14 FAIL
  Unexpected error message!
  0: (61) r9 = *(u32 *)(r1 +8)
  1: (7a) *(u64 *)(r10 -8) = 0
  2: (bf) r2 = r10
  3: (07) r2 += -8
  4: (18) r1 = 0xffff9391367ba400
  6: (85) call bpf_map_lookup_elem#1
  7: (15) if r0 == 0x0 goto pc+8
   R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R9=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0
  8: (7a) *(u64 *)(r10 -16) = -8
  9: (79) r1 = *(u64 *)(r10 -16)
  10: (b7) r2 = -1
  11: (b7) r8 = 2
  12: (15) if r9 == 0x2a goto pc+6
   R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1=inv(id=0) R2=inv-1 R8=inv2 R9=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0
  13: (6d) if r8 s> r1 goto pc+3
   R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1=inv(id=0,umin_value=2,umax_value=9223372036854775807,var_off=(0x0; 0x7fffffffffffffff)) R2=inv-1 R8=inv2 R9=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0
  14: (65) if r1 s> 0x1 goto pc+2
  17: (b7) r0 = 0
  18: (95) exit

  from 13 to 17: safe

  from 12 to 19: R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1=inv(id=0) R2=inv-1 R8=inv2 R9=inv42 R10=fp0
  19: (2d) if r1 > r2 goto pc-3
   R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1=inv(id=0) R2=inv-1 R8=inv2 R9=inv42 R10=fp0
  20: (05) goto pc-7
  14: (65) if r1 s> 0x1 goto pc+2
   R0=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1=inv(id=0,smax_value=1) R2=inv-1 R8=inv2 R9=inv42 R10=fp0
  15: (0f) r0 += r1
  math between map_value pointer and register with unbounded min value is not allowed

Test result with older kernel:
  #391/u bounds checks mixing signed and unsigned, variant 15 OK
  #391/p bounds checks mixing signed and unsigned, variant 15 OK

The test has passed but the variant number is different.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-60-generic 4.15.0-60.67
ProcVersionSignature: User Name 4.15.0-60.67-generic 4.15.18
Uname: Linux 4.15.0-60-generic x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Aug 28 02:49 seq
 crw-rw---- 1 root audio 116, 33 Aug 28 02:49 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CurrentDmesg:

Date: Wed Aug 28 02:58:14 2019
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
Lsusb: Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
PciMultimedia:

ProcFB: 0 cirrusdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-60-generic root=UUID=576666e8-9e7f-40ee-934e-f1dce18323e5 ro
RelatedPackageVersions:
 linux-restricted-modules-4.15.0-60-generic N/A
 linux-backports-modules-4.15.0-60-generic N/A
 linux-firmware 1.173.10
RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-xenial
dmi.modalias: dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-xenial
dmi.sys.vendor: QEMU


Po-Hsu Lin (cypressyew) wrote :
summary: - Test 391/u from ubuntu_bpf failed on B
+ Test 391/u and 391/p from ubuntu_bpf failed on B
description: updated

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1841704

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Bionic):
status: New → Incomplete
Changed in linux (Ubuntu Bionic):
status: Incomplete → Confirmed

The bug was introduced by the following commit backported from the upstream stable 4.19.y:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/commit/?h=master-next&id=c779b6c6b215bc3b3b7fcb39ab62f816bd6dfb75

The mainline commit changes also test_verifier.c from bpf self_tests:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f7b3e82589e0de723780198ec7983e427144c0a

However, changing the expected error message for test #391 seems to be not enough, since 391/u failed with a different error message (R1 has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root).
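
Why 391/u and 391/p stop at the same instruction (15: r0 += r1) with different messages, as an added example that is not part of the bug report and is not kernel code: a simplified model of the signed bounds the log shows for R1 on the two explored paths. The struct, the function names and the ordering of the two checks are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not kernel code: signed bounds of one scalar register. */
struct sbounds { int64_t smin, smax; };
static const struct sbounds UNKNOWN = { INT64_MIN, INT64_MAX };
enum verdict { ACCEPT, REJECT_MIXED_SIGNED, REJECT_UNBOUNDED_MIN };

/* Fall-through edge of "if imm s> reg goto": reg >= imm. */
static struct sbounds raise_smin(struct sbounds r, int64_t imm)
{
    if (r.smin < imm) r.smin = imm;
    return r;
}

/* Fall-through edge of "if reg s> imm goto": reg <= imm. */
static struct sbounds lower_smax(struct sbounds r, int64_t imm)
{
    if (r.smax > imm) r.smax = imm;
    return r;
}

/* The bounds alone prove "reg s> imm", so only the jump target is explored. */
static bool jsgt_always_taken(struct sbounds r, int64_t imm) { return r.smin > imm; }

/* pointer += scalar: the two rejections quoted in the log. Running the
 * unprivileged-only check first is an assumption of this model. */
static enum verdict check_ptr_add(struct sbounds r, bool unprivileged)
{
    if (unprivileged && (r.smin < 0) != (r.smax < 0))
        return REJECT_MIXED_SIGNED;  /* "mixed signed bounds ... for !root" */
    if (r.smin == INT64_MIN)
        return REJECT_UNBOUNDED_MIN; /* "unbounded min value" */
    return ACCEPT;
}

/* Path 12 -> 13 -> 14: insn 13 (r8 = 2) falls through, so r1 >= 2 and
 * insn 14 always jumps to 17, skipping the pointer arithmetic at 15. */
static bool path_13_skips_ptr_add(void) { return jsgt_always_taken(raise_smin(UNKNOWN, 2), 1); }

/* Path 12 -> 19 -> 20 -> 14 -> 15: the unsigned test against r2 = -1 adds no
 * bound; insn 14 falls through with smax = 1 and smin still unbounded. */
static enum verdict path_19_ptr_add(bool unprivileged) { return check_ptr_add(lower_smax(UNKNOWN, 1), unprivileged); }

int main(void)
{
    printf("13 skips ptr add: %d, 391/u: %d, 391/p: %d\n", path_13_skips_ptr_add(), path_19_ptr_add(true), path_19_ptr_add(false));
    return 0;
}
```

In this model a scalar bounded on both sides, for example smin = 0 and smax = 1, passes both checks, which is the property the "bounds checks mixing signed and unsigned" tests exercise.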

Tyler Hicks (tyhicks) wrote :

Fix submitted: https://lists.ubuntu.com/archives/kernel-team/2019-August/103448.html

The problem is purely in the selftests and not a problem with the kernel build itself. This failure should *not* block the SRU.

Changed in linux (Ubuntu Bionic):
importance: Undecided → High
assignee: nobody → Tyler Hicks (tyhicks)
status: Confirmed → In Progress
Changed in linux (Ubuntu):
status: Incomplete → Invalid
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Po-Hsu Lin (cypressyew) on 2019-09-05
tags: added: ubuntu-bpf

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Po-Hsu Lin (cypressyew) wrote :

Verified with 4.15.0-63.72, test passed.
Thanks.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Changed in ubuntu-kernel-tests:
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-65.74

---------------
linux (4.15.0-65.74) bionic; urgency=medium

  * bionic/linux: 4.15.0-65.74 -proposed tracker (LP: #1844403)

  * arm64: large modules fail to load (LP: #1841109)
    - arm64/kernel: kaslr: reduce module randomization range to 4 GB
    - arm64/kernel: don't ban ADRP to work around Cortex-A53 erratum #843419
    - arm64: fix undefined reference to 'printk'
    - arm64/kernel: rename module_emit_adrp_veneer->module_emit_veneer_for_adrp
    - [config] Remove CONFIG_ARM64_MODULE_CMODEL_LARGE

  * CVE-2018-20976
    - xfs: clear sb->s_fs_info on mount failure

  * br_netfilter: namespace sysctl operations (LP: #1836910)
    - net: bridge: add bitfield for options and convert vlan opts
    - net: bridge: convert nf call options to bits
    - netfilter: bridge: port sysctls to use brnf_net
    - netfilter: bridge: namespace bridge netfilter sysctls
    - netfilter: bridge: prevent UAF in brnf_exit_net()

  * tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (LP: #1830756)
    - tuntap: correctly set SOCKWQ_ASYNC_NOSPACE

  * Bionic update: upstream stable patchset 2019-08-30 (LP: #1842114)
    - HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
    - MIPS: kernel: only use i8253 clocksource with periodic clockevent
    - mips: fix cacheinfo
    - netfilter: ebtables: fix a memory leak bug in compat
    - ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks
    - bonding: Force slave speed check after link state recovery for 802.3ad
    - can: dev: call netif_carrier_off() in register_candev()
    - ASoC: Fail card instantiation if DAI format setup fails
    - st21nfca_connectivity_event_received: null check the allocation
    - st_nci_hci_connectivity_event_received: null check the allocation
    - ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
    - net: usb: qmi_wwan: Add the BroadMobi BM818 card
    - qed: RDMA - Fix the hw_ver returned in device attributes
    - isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in
      start_isoc_chain()
    - netfilter: ipset: Fix rename concurrency with listing
    - isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
    - perf bench numa: Fix cpu0 binding
    - can: sja1000: force the string buffer NULL-terminated
    - can: peak_usb: force the string buffer NULL-terminated
    - net/ethernet/qlogic/qed: force the string buffer NULL-terminated
    - NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
    - HID: input: fix a4tech horizontal wheel custom usage
    - SMB3: Kernel oops mounting a encryptData share with CONFIG_DEBUG_VIRTUAL
    - net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
    - net: hisilicon: make hip04_tx_reclaim non-reentrant
    - net: hisilicon: fix hip04-xmit never return TX_BUSY
    - net: hisilicon: Fix dma_map_single failed on arm64
    - libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
    - libata: add SG safety checks in SFF pio transfers
    - x86/lib/cpu: Address missing prototypes warning
    - drm/vmwgfx: fix memory leak when too many retries have occurred
    - perf ftrace: Fix failure to set cpuma...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released